Configuring Shibboleth 1.1 target side on
Debian GNU/Linux 3.0r1 stable/i386 (woody)
-----------------------------------------
* location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/
* [where you also find sample config files]
* authors: Valery Tschopp & Thomas Lenggenhager & Urs Marti, SWITCH
* contact: aai@switch.ch
* version: 2.5 - 20030930
* This guide is only an addition to the original Shibboleth 1.1
* Target-Deployment Guide which you should read first.
* References to that original guide are marked as
* (see TARG-chapter#)
PHP4 (see TARG-3.a)
----
There is no problem with interoperating with PHP4 under Debian,
since the Debian package 'php4' neither includes 'pspell' nor
'xslt-sablot'.
/etc/init.d/apache (see TARG-3.c)
------------------
A modified Apache init script for Debian, which also starts and
stops the SHAR daemon process, is provided as the sample file
init.d-apache-debian
/etc/apache/httpd.conf (see TARG-3.c, TARG-4.d, TARG-5.a)
--------------------------
A sample httpd.conf.addon file is in the sample file directory.
# this is just an extract of an Apache 1.3.x httpd.conf file with
# the special things required for SWITCHaai integration.

LoadModule shibrm_module /opt/shibboleth/libexec/mod_shibrm.so
LoadModule shire_module /opt/shibboleth/libexec/mod_shire.so

SHIREConfig /opt/shibboleth/etc/shibboleth/shibboleth.ini
SHIREURL /shibboleth/SHIRE

<Location /shibboleth/SHIRE>
SetHandler shib-shire-post
</Location>

# some sample authorization restrictions derived from the SWITCHaai demo server
# (each block belongs inside the <Location> or <Directory> container of the
# content it protects)
#
AuthType shibboleth
ShibExportAssertion On
require uniqueID 3141592@domain.ch

AuthType shibboleth
ShibExportAssertion On
require valid-user

AuthType shibboleth
ShibExportAssertion On
require affiliation ~ ^staff$

AuthType shibboleth
ShibExportAssertion On
require affiliation ~ ^student$
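As an added example (not from the guide or from mod_shibrm itself), this Python model evaluates the four require rules above against constructed attribute sets. It assumes multi-valued attributes are exported semicolon-separated and that '~' performs an unanchored regex search, which is why the ^...$ anchors in the sample matter.

```python
import re

# Constructed sample sessions: attributes as the target would export them to
# the protected application. Multi-valued attributes are modelled as
# semicolon-separated strings (an assumption about the 1.x export format).
SAMPLE_SESSIONS = {
    "alice": {"uniqueID": "3141592@domain.ch", "affiliation": "staff;member"},
    "bob":   {"uniqueID": "2718281@domain.ch", "affiliation": "student;member"},
    "eve":   {"uniqueID": "1414213@other.ch",  "affiliation": "nonstaff"},
}

def parse_require(line):
    """Parse 'require valid-user', 'require <attr> <value...>' or
    'require <attr> ~ <regex...>' into (attr, mode, wanted)."""
    parts = line.split()
    if not parts or parts[0] != "require":
        raise ValueError("not a require directive: %r" % line)
    if parts[1] == "valid-user":
        return ("valid-user", None, None)
    if len(parts) >= 4 and parts[2] == "~":
        return (parts[1], "regex", parts[3:])
    return (parts[1], "exact", parts[2:])

def rule_allows(rule, attrs):
    """True if any exported value of the attribute satisfies the rule."""
    attr, mode, wanted = rule
    if attr == "valid-user":
        return bool(attrs)          # any established session passes
    values = [v for v in attrs.get(attr, "").split(";") if v]
    if mode == "exact":
        return any(v in wanted for v in values)
    # regex mode: unanchored search, so '^staff$' and 'staff' differ
    return any(re.search(pat, v) for pat in wanted for v in values)

def who_passes(require_line, sessions=SAMPLE_SESSIONS):
    """Names of the constructed sessions admitted by one require line."""
    rule = parse_require(require_line)
    return sorted(u for u, a in sessions.items() if rule_allows(rule, a))
```

Compare who_passes("require affiliation ~ ^staff$") with the unanchored "require affiliation ~ staff": the latter also admits the "nonstaff" session.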
/var/log/shibboleth
-------------------
Create the directory for the SHAR and SHIRE log files:
$ su
Password
# mkdir /var/log/shibboleth
# exit
Make sure that /var/log/shibboleth/shire.log is writable by the
web server user, since SHIRE is an Apache module and runs with the
web server's privileges.
/opt/shibboleth/etc/shibboleth/shar.logger
-------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shar.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
/opt/shibboleth/etc/shibboleth/shire.logger
--------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shire.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
/opt/shibboleth/etc/shibboleth/shibboleth.ini (see TARG-4)
----------------------------------------
[general]
logger=/opt/shibboleth/etc/shibboleth/shibboleth.logger
schemadir=/opt/shibboleth/etc/shibboleth
sharsocket=/tmp/shar-socket
# SERVER CONFIGURATION
# Optional, may also be set per-server (or per-directory in Apache)
#normalizeRequest = true
#checkIPAddress = false
#contentSSLOnly = false
#exportAssertion = false
# These timeouts apply to session validity at the target for IIS
# Apache session control is per-directory with Apache commands
#authLifetime = 7200
#authTimeout = 3600
supportContact=target-support@domain.ch
logoLocation=/logo.gif
# Mandatory
wayfURL = https://wayf1.switch.ch/SWITCHaai/WAYF
cookieName = shib-cookie
shireSSLOnly = false
shireError=/opt/shibboleth/etc/shibboleth/shireError.html
rmError=/opt/shibboleth/etc/shibboleth/rmError.html
accessError=/opt/shibboleth/etc/shibboleth/accessError.html
# Mandatory for IIS, set for Apache with SHIREURL command
#shireURL = /Shibboleth.shire
[shire]
logger=/opt/shibboleth/etc/shibboleth/shire.logger
metadata=metadata_shire
[shar]
logger=/opt/shibboleth/etc/shibboleth/shar.logger
# If using a TCP-based SHAR, space delimit the allowed client IPs
#sharacl = 127.0.0.1
metadata=metadata_shar
# Should provide a key-pair and certificate
# Can use mod_ssl's server.crt/server.key if you set file permissions
certfile=/etc/apache/ssl.crt/serverKey.crt
keyfile=/etc/apache/ssl.key/serverKey.key
#keypass=
calist=/etc/apache/ssl.crt/ca-bundle.crt
# Controls timeouts for AA queries (in seconds)
AATimeout=60
AAConnectTimeout=30
# The following shar items are session caching parameters
# The default cache now uses a MySQL embedded database
cacheType=memory
#cacheType=mysql
# how often to run the cache cleanup thread (in seconds)
cacheClean=300
# These timeouts apply to session caching, irrespective of validity
# Sessions can be deleted before they expire, so these should usually
# be at least as long as session policy itself.
cacheTimeout=3600
#mysql-cache-timeout = 14400
# Only needed if the MySQL cache plugin is used.
[extensions:saml]
#mysql = /opt/shibboleth/libexec/shib-mysql-ccache.so
# Arguments for the MySQL embedded database
# Make sure the datadir exists.
[mysql]
#arg1 = --language=/opt/shibboleth/share/english
#arg2 = --datadir=/opt/shibboleth/data
[metadata_shire]
edu.internet2.middleware.shibboleth.metadata.XML=/opt/shibboleth/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.target.AAP.XML=/opt/shibboleth/etc/shibboleth/AAP.xml
[metadata_shar]
edu.internet2.middleware.shibboleth.metadata.XML=/opt/shibboleth/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.trust.XML=/opt/shibboleth/etc/shibboleth/trust.xml
edu.internet2.middleware.shibboleth.target.AAP.XML=/opt/shibboleth/etc/shibboleth/AAP.xml
[isapi]
# When using the ISAPI filter version, map IIS Instance IDs to server names.
#
#1=my.server.name
[policies]
# This is a sample policy URI used by the InCommon pilot origins.
# You can filter incoming users at a high level by listing the policies to allow.
# InQueue=urn:mace:inqueue
SWITCHaai=urn:mace:switch.ch:SWITCHaai:pilot
# To define per-server or per-vhost settings, create a section
# for the server's hostname and set or override configuration.
#[my.server.name]
#normalizeRequest = true
#checkIPAddress = false
#contentSSLOnly = false
#authLifetime = 7200
#authTimeout = 3600
#exportAssertion = false
# For IIS, determine what content to protect by specifying strings
# to match against the request path. Separate matches with semicolons.
#mustContain = /secure/;/protected/
# list of attributes to request for server "my.server.name"
# requests everything if this doesn't exist or is empty
#requestAttributes =
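As an added example (not part of the guide or of Shibboleth), this Python check parses a shibboleth.ini excerpt and flags the settings a target administrator should decide on deliberately: shireSSLOnly, checkIPAddress, and the guide's own rule that cacheTimeout should be at least as long as the session policy. The INI excerpts are constructed, with an absent checkIPAddress treated like the commented-out 'false' in the sample.

```python
import configparser

# Constructed shibboleth.ini excerpts (not the guide's file): one mirroring the
# sample's weak settings, one with the hardened values.
WEAK_INI = """
[general]
cookieName = shib-cookie
shireSSLOnly = false
#checkIPAddress = false
authTimeout = 3600

[shar]
certfile=/etc/apache/ssl.crt/serverKey.crt
keyfile=/etc/apache/ssl.key/serverKey.key
cacheTimeout=1800
"""

HARDENED_INI = (WEAK_INI
                .replace("shireSSLOnly = false", "shireSSLOnly = true")
                .replace("#checkIPAddress = false", "checkIPAddress = true")
                .replace("cacheTimeout=1800", "cacheTimeout=7200"))

def load_ini(text):
    """Parse shibboleth.ini text, keeping option names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep cacheTimeout, shireSSLOnly as written
    cp.read_string(text)
    return cp

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    cp = load_ini(text)
    general = cp["general"] if cp.has_section("general") else {}
    shar = cp["shar"] if cp.has_section("shar") else {}
    findings = []
    # 1. The SHIRE receives the browser's POSTed assertion; plain HTTP exposes it.
    if general.get("shireSSLOnly", "false").strip().lower() != "true":
        findings.append("shireSSLOnly is not true: assertion POSTs accepted over plain HTTP")
    # 2. An absent checkIPAddress is treated like the sample's commented-out 'false'.
    if general.get("checkIPAddress", "false").strip().lower() != "true":
        findings.append("checkIPAddress is not enabled: sessions not bound to client address")
    # 3. Guide comment: cache timeouts should be at least as long as session policy,
    #    otherwise the SHAR can evict sessions that are still valid.
    auth = int(general.get("authTimeout", "0"))
    cache = int(shar.get("cacheTimeout", "0"))
    if auth and cache and cache < auth:
        findings.append("cacheTimeout %d < authTimeout %d: sessions evicted before policy expiry" % (cache, auth))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(text) or ["ok"])
```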
AAP.xml (see TARG-4.e)
-------
The sample AAP.xml contains all attributes defined in the 'Authorization
Attribute Specification'.
You can find the long file at
http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/AAP.xml
siterefresh (see TARG-4.g)
-----------
$ /usr/local/bin/siterefresh --out sites.xml --url http://wayf1.switch.ch/SWITCHaai/sites.xml